Which Cloud Storage Services are HIPAA Compliant?

As a First Step

Before you even start looking for HIPAA compliant cloud storage services, you need to acquaint yourself with what is necessary for a provider to be able to make this claim. If you are looking for HIPAA compliant storage you are probably aware that you have a need for it and, as such, will have a basic understanding of what HIPAA requires from you when storing data. In simple terms, a HIPAA compliant cloud storage provider has to follow the same regulations.

Looking for HIPAA Compliant Storage Providers.

There are two ways to find a HIPAA compliant cloud storage provider. You could ask a trusted friend or colleague, or search the internet. Either way, the obligation is on you to carry out due diligence before entrusting your data to your chosen company. Any company that claims to be “HIPAA Certified” is one to steer clear of. They may actually comply with HIPAA requirements but, as there is no such thing as an approved certification system, they are misleading you from the start. If they are not truthful on that, what else are they misleading you on? Remember, the obligation is on you to ensure that your electronic protected health information (ePHI) is secure.

What to Look For.

Any reputable cloud service provider will be independently audited every year. This will be carried out in accordance with the HIPAA Audit Protocols for both their method of operation and their infrastructure. Ideally this will be measured against the criteria laid down by the Office for Civil Rights. A HIPAA compliant cloud storage provider will expect, and be willing, to sign a business associate agreement (BAA). This must be a written agreement between you and the HIPAA compliant cloud storage provider. The agreement lays down what your cloud storage provider will do for you. It also confirms that it will work within the requirements of HIPAA.

Questions you May Wish to Ask During your Due Diligence.

• Review their annual security audit and check the standard against which it is judged.

• Does the company have a past track record in dealing with all the HIPAA requirements?

• Do they have procedures in place to ensure business continuity and what are they?

• Who is it within the organization that has the responsibility to ensure that it is HIPAA compliant?

Once all these questions can be answered to your satisfaction, you can be reasonably sure that the cloud service provider you have chosen will be able to provide you with HIPAA compliant cloud storage. The penalties for failing to ensure that your provider is fully HIPAA compliant can be severe. In the worst cases, a fine of up to $250,000 and up to 10 years imprisonment can be applied. Even for smaller breaches there is, in addition to a fine, a place on the Department of Health and Human Services’ (HHS) Wall of Shame.